File euc-kr-overrun.patch of Package glibc.33856

Fix buffer overrun in EUC-KR conversion module (bug 24973)

The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed.  The from_euc_kr function used to skip two bytes
when told to skip over the unknown designation, potentially running over
the buffer end.

	[BZ #24973]
	* iconvdata/ksc5601.h (ksc5601_to_ucs4): Check for available bytes
	first.
	* iconvdata/euc-kr.c (BODY for FROM_LOOP): Don't check for unknown
	two-byte codes here.
	* iconvdata/Makefile (tests): Add bug-iconv13.
	* iconvdata/bug-iconv13.c: New file.
---
 iconvdata/Makefile      |  2 +-
 iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
 iconvdata/euc-kr.c      |  6 +----
 iconvdata/ksc5601.h     |  6 ++---
 4 files changed, 58 insertions(+), 9 deletions(-)
 create mode 100644 iconvdata/bug-iconv13.c

Index: glibc-2.22/iconvdata/euc-kr.c
===================================================================
--- glibc-2.22.orig/iconvdata/euc-kr.c
+++ glibc-2.22/iconvdata/euc-kr.c
@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
 									      \
     if (ch <= 0x9f)							      \
       ++inptr;								      \
-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are		      \
-       user-defined areas.  */						      \
-    else if (__builtin_expect (ch == 0xa0, 0)				      \
-	     || __builtin_expect (ch > 0xfe, 0)				      \
-	     || __builtin_expect (ch == 0xc9, 0))			      \
+    else if (__glibc_unlikely (ch == 0xa0))				      \
       {									      \
 	/* This is illegal.  */						      \
 	STANDARD_FROM_LOOP_ERR_HANDLER (1);				      \
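Review bot: The `else if` branch no longer says where the user-defined rows are rejected, because the comment about 0xfe and 0xc9 was removed together with the checks. Those lead bytes now appear to be refused only by the row test in ksc5601_to_ucs4 (`(ch - offset) >= 0x7e` and `(ch - offset) == 0x49`), which covers 0xc9, 0xfe and 0xff if the call passes offset 0x80; the call itself is outside this hunk. I would add a comment above the branch, inside the macro continuation, such as `/* Lead bytes 0xc9, 0xfe and 0xff are rejected by ksc5601_to_ucs4, after it has checked that two bytes are available.  */`. The BODY macro continues past the hunk, so it is worth confirming that the two-byte skip for the unknown-character result is only reached when both bytes were present.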
Index: glibc-2.22/iconvdata/ksc5601.h
===================================================================
--- glibc-2.22.orig/iconvdata/ksc5601.h
+++ glibc-2.22/iconvdata/ksc5601.h
@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
   unsigned char ch2;
   int idx;
 
+  if (avail < 2)
+    return 0;
+
   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
 
   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
       || (ch - offset) == 0x49)
     return __UNKNOWN_10646_CHAR;
 
-  if (avail < 2)
-    return 0;
-
   ch2 = (*s)[1];
   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
     return __UNKNOWN_10646_CHAR;
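Review bot: The moved `if (avail < 2) return 0;` changes what the function reports for a lone trailing byte, and nothing at the check explains why it has to come first. An invalid lead byte at the end of the buffer now yields 0 instead of __UNKNOWN_10646_CHAR, which, going by the commit message, is what stops a caller that skips two bytes on the unknown result from stepping past the buffer end. A comment such as `/* Check the length before classifying: callers skip two bytes on __UNKNOWN_10646_CHAR.  */` would guard against a later reorder reintroducing the overrun. The diffstat lists iconvdata/bug-iconv13.c and a Makefile change, but neither appears on this page, so the regression test seems not to be carried with this package patch. The function's declarations and tail are outside the hunk, so other callers that depended on the old ordering cannot be checked from here.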